LXC-4.0.6 in Debian 11.x : lxc.cap.drop "sys_admin"?

In my tests with the debops.lxc ansible role and a Debian 11.x VM I somehow found out that my containers only started with dropping the “sys_admin” capability. As far as I remember I took that from some bug report or support thread, I can’t find that one anymore right now.

Is it correct to drop that, is it necessary, or is that maybe be fixed in LXC-4.0.9? I wonder if 4.0.9 will be part of stable Debian-11.x, though.


I have to correct:

I do NOT drop that cap.

PR (WIP): https://github.com/debops/debops/pull/1705